How to: Set Security and Authentication on a Service Bus Application
Updated: July 1, 2015
This topic discusses how to authenticate a service and client application using Microsoft Azure Service Bus. For more information about setting transport and message-level security, see Securing and Authenticating a Service Bus Connection, and also the Securing Services topic in the Windows Communication Foundation (WCF) documentation.
If you are developing a service, you must first determine what type of credentials you will use to authenticate with Service Bus, and whether a client that connects to your service must authenticate. All services are required to authenticate with Service Bus, using SAML, a shared secret, a simple Web token, or a Shared Access Signature (SAS) token. You may decide to use a different form of authentication for your service than for the client. For more information, see Choosing Authentication for a Service Bus Application.
If you are developing a client, determine what type of authentication credentials are required by the service to which you are connecting. This can be done in a variety of ways, including retrieving the information from the contract metadata. For more information, see How to: Design a WCF Service Contract for use with Service Bus.
Define a behavior that contains the specified <transportClientEndpointBehavior> element, and also the relevant credentials.
The following code, from the WebHttp sample, shows how to declare and configure a shared secret credential.
<behaviors>
  <endpointBehaviors>
    <behavior name="sharedAccessSignatureClientCredentials">
      <transportClientEndpointBehavior>
        <tokenProvider>
          <sharedAccessSignature keyName="RootManageSharedAccessKey" key="**key**" />
        </tokenProvider>
      </transportClientEndpointBehavior>
    </behavior>
  </endpointBehaviors>
</behaviors>
In this procedure, the issuer name and secret are held directly in the App.config file. It is recommended that you implement some form of security on any configuration file that contains such security information.
Once you have defined the credentials in the App.config file, the application will use the security configuration automatically. There are no additional steps necessary.
Retrieve the security credentials:
Console.Write("SAS policy name: ");
string sasPolicyName = Console.ReadLine();
Console.Write("Your SAS Key: ");
string sasKey = Console.ReadLine();
As is common in Service Bus samples, this procedure uses a SAS policy name and key, and they are typed in directly.
Create the credential endpoint behavior object that contains the security credentials:
TransportClientEndpointBehavior clientBehavior = new TransportClientEndpointBehavior();
clientBehavior.TokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider(sasPolicyName, sasKey);
Create the channel factory to connect to the endpoint:
ChannelFactory<IEchoChannel> channelFactory =
    new ChannelFactory<IEchoChannel>("RelayEndpoint", new EndpointAddress(serviceUri));
Apply the credentials to the channel factory:
Once you have applied the credentials to the channel factory, you can open a connection to the endpoint and access Service Bus.
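The programmatic steps above, assembled into one client as an added example (not code from the original topic or the Service Bus samples). It reads the SAS key without echoing it to the console and attaches the behavior to the factory's endpoint before the channel is opened. The IEchoContract definition, the "EchoService" path, the SB_SAS_KEY variable name and the "RelayEndpoint" entry in App.config are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.Text;
using Microsoft.ServiceBus;

// Assumed contract for illustration; the page does not define IEchoChannel.
[ServiceContract]
public interface IEchoContract { [OperationContract] string Echo(string text); }
public interface IEchoChannel : IEchoContract, IClientChannel { }

class Program
{
    // Read a secret without echoing it to the console or its scrollback.
    static string ReadSecret(string prompt)
    {
        Console.Write(prompt);
        var buffer = new StringBuilder();
        while (true)
        {
            ConsoleKeyInfo k = Console.ReadKey(intercept: true);
            if (k.Key == ConsoleKey.Enter) break;
            if (k.Key == ConsoleKey.Backspace) { if (buffer.Length > 0) buffer.Length--; }
            else if (!char.IsControl(k.KeyChar)) buffer.Append(k.KeyChar);
        }
        Console.WriteLine();
        return buffer.ToString();
    }

    static void Main()
    {
        Console.Write("Service namespace: ");
        string serviceNamespace = Console.ReadLine();
        Console.Write("SAS policy name: ");
        string sasPolicyName = Console.ReadLine();
        // SB_SAS_KEY is a hypothetical variable name; fall back to a masked prompt.
        string sasKey = Environment.GetEnvironmentVariable("SB_SAS_KEY") ?? ReadSecret("Your SAS Key: ");

        // "EchoService" and the "RelayEndpoint" App.config client endpoint are assumed.
        Uri serviceUri = ServiceBusEnvironment.CreateServiceUri("sb", serviceNamespace, "EchoService");
        var clientBehavior = new TransportClientEndpointBehavior();
        clientBehavior.TokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider(sasPolicyName, sasKey);
        var channelFactory = new ChannelFactory<IEchoChannel>("RelayEndpoint", new EndpointAddress(serviceUri));
        channelFactory.Endpoint.Behaviors.Add(clientBehavior); // apply credentials before opening

        IEchoChannel channel = channelFactory.CreateChannel();
        channel.Open();
        Console.WriteLine(channel.Echo("hello"));
        channel.Close();
        channelFactory.Close();
    }
}
```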